Rights management in a hearing device

ABSTRACT

A hearing device includes: a processing unit configured to compensate for hearing loss of a user of the hearing device; and a memory unit; wherein the processing unit is configured to: obtain an access right certificate, the access right certificate comprising an access right identifier, verify the access right certificate, and if the access right certificate is verified, provide an access right according to the access right identifier.

RELATED APPLICATION DATA

This application is a continuation of U.S. patent application Ser. No.16/130,549 filed on Sep. 13, 2018, pending, which is a continuation ofU.S. patent application Ser. No. 14/793,515 filed on Jul. 7, 2015, nowU.S. Pat. No. 10,158,955, which claims priority to and the benefit ofDanish Patent Application No. PA 2015 70432, filed on Jul. 2, 2015, andEuropean Patent Application No. 15175135.1, filed on Jul. 2, 2015. Theentire disclosures of the above applications are expressly incorporatedby reference herein.

FIELD

The present disclosure relates to a hearing device and related method,in particular a method of operating a hearing device. Further, a methodof configuring a hearing device is disclosed.

BACKGROUND

Development and testing of hearing device software requires access to ahearing device and the functionalities of a hearing device. Securityarchitectures for hearing devices may limit the access and ability totest and run unauthorized software/firmware in a hearing device.Further, a hearing device manufacturer may in the interest of securityprevent or limit access to the hearing device, e.g. by preventing ahearing device from running or even downloading unauthorized software.Further, a hearing device manufacturer may be interested in limiting thesharing of or access to security material, such as keying material, forauthorizing firmware.

SUMMARY

There is a need for enabling a software developer to access and testsoftware applications on an otherwise secure hearing device.

Disclosed is a hearing device comprising a processing unit configured tocompensate for hearing loss of a user of the hearing device; a memoryunit; and an interface. The processing unit may be configured to obtainan access right certificate, the access right certificate optionallycomprising an access right identifier; verify the access rightcertificate; and if the access right certificate is verified, provide anaccess right according to the access right identifier.

Also disclosed is a method of operating a hearing device comprising aprocessing unit configured to compensate for hearing loss of a user ofthe hearing device; a memory unit; and an interface. The methodcomprises obtaining an access right certificate, the access rightcertificate optionally comprising an access right identifier; verifyingthe access right certificate; and if the access right certificate isverified, providing an access right according to the access rightidentifier.

Further, a method of configuring a hearing device is disclosed.

The method and apparatus as disclosed enables a software developer toaccess and test a hearing device on an otherwise secure hearing device,e.g. a hearing device that is configured only to run authorizedfirmware. Further, the present disclosure enables a hearing devicemanufacturer to limit access to authorizing firmware of a hearing devicewhile still enabling easy testing and development of hearing devicefirmware.

A hearing device manufacturer is further able to control whether aspecific hearing device can be used for software development and testingand to which degree. This may be advantageous since it may be desire toallow external developers to access the hearing device at a first leveland to allow internal developers to access the hearing device at asecond level different from the first level. For example, hearingdevices for internal developers may be granted full access, whilehearing devices for external developers may be granted a limited access.Further, hearing devices for software developers may be granted otheraccess rights than hearing devices for software developers.

The disclosed hearing device and method of operating a hearing devicesupports a hearing device in combatting attacks such as unauthorizedaccess or control of a hearing device, while still allowing access tolegitimate parties for e.g. R&D purposes, such as testing.

A hearing device includes: a processing unit configured to compensatefor hearing loss of a user of the hearing device; and a memory unit;wherein the processing unit is configured to: obtain an access rightcertificate, the access right certificate comprising an access rightidentifier, verify the access right certificate, and if the access rightcertificate is verified, provide an access right according to the accessright identifier.

Optionally, the access right certificate comprises a digital signature,and wherein the processing unit is configured to verify the access rightcertificate by verifying the digital signature.

Optionally, the access right certificate comprises a certificate typeidentifier, and wherein the processing unit is configured to verify theaccess right certificate by verifying the certificate type identifier.

Optionally, the access right certificate comprises one or more hardwareidentifiers, and wherein the processing unit is configured to verify theaccess right certificate by verifying at least one of the one or morehardware identifiers.

Optionally, the access right certificate comprises a hardware platformidentifier, a software platform identifier, a certificate timestamp, orany combination of the foregoing, and wherein the processing unit isconfigured to verify the access right certificate by verifying at leastone of the hardware platform identifier, the software platformidentifier, and the certificate timestamp.

Optionally, the processing unit is configured to obtain a firmwarecertificate and to verify the firmware certificate, and wherein theprocessing unit is configured to retrieve and verify the access rightcertificate if the firmware certificate is not verified.

Optionally, the processing unit is configured to grant full access tothe hearing device if the access right identifier is indicative ofallowance of the full access.

Optionally, the processing unit is configured to grant access to executeunauthorized firmware if the access right identifier is indicative ofallowance of the unauthorized firmware being execution.

Optionally, the processing unit is configured to grant access to storefirmware in the memory unit if the access right identifier is indicativeof allowance of the firmware being storing.

A method of operating a hearing device comprising a processing unitconfigured to compensate for hearing loss of a user of the hearingdevice and a memory unit, includes: obtaining an access rightcertificate, the access right certificate comprising an access rightidentifier; verifying the access right certificate; and if the accessright certificate is verified, providing an access right according tothe access right identifier.

Other features, advantageous, and/or embodiments will be described belowin the detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages will become readily apparentto those skilled in the art by the following detailed description ofexemplary embodiments thereof with reference to the attached drawings,in which:

FIG. 1 schematically illustrates an exemplary architecture with ahearing device,

FIG. 2 schematically illustrates an exemplary hearing device,

FIG. 3 schematically illustrates an exemplary hearing devicecertificate,

FIG. 4 schematically illustrates an exemplary access right certificate,

FIG. 5 schematically illustrates a flowchart of an exemplary method,

FIG. 6 schematically illustrates a flowchart of an exemplary method,

FIG. 7 schematically illustrates an exemplary verification of an accessright certificate,

FIG. 8 schematically illustrates a flowchart of an exemplary method, and

FIG. 9 schematically illustrates a flowchart of an exemplary method.

DETAILED DESCRIPTION

Various embodiments are described hereinafter with reference to thefigures. Like reference numerals refer to like elements throughout. Likeelements will, thus, not be described in detail with respect to thedescription of each figure. It should also be noted that the figures areonly intended to facilitate the description of the embodiments. They arenot intended as an exhaustive description of the claimed invention or asa limitation on the scope of the claimed invention. In addition, anillustrated embodiment needs not have all the aspects or advantagesshown. An aspect or an advantage described in conjunction with aparticular embodiment is not necessarily limited to that embodiment andcan be practiced in any other embodiments even if not so illustrated, orif not so explicitly described.

It is an object of the present disclosure to provide a hearing device,and a method of operating a hearing device which seeks to mitigate,alleviate, or eliminate one or more of the above-identified deficienciesin the art and disadvantages singly or in any combination.

The present disclosure relates to improved security of a hearing devicewith maintained development flexibility.

As used herein, the term “hearing device” refers to a device configuredto assist a user in hearing a sound, such as a hearing instrument, ahearing aid device, a headset, a pair of headphones, etc.

As used herein, the term “certificate” refers to a data structure thatenables verification of its origin and content, such as verifying thelegitimacy and/or authenticity of its origin and content. Thecertificate is configured to provide a content that is associated to aholder of the certificate by an issuer of the certificate. Thecertificate comprises a digital signature, so that a recipient of thecertificate is able to verify or authenticate the certificate contentand origin. The certificate may comprise one or more identifiers and/orkeying material, such as one or more cryptographic keys (e.g. a hearingdevice key) enabling secure communication in a hearing device system.The certificate permits thus to achieve authentication of origin andcontent, non-repudiation, and/or integrity protection. The certificatemay further comprise a validity period, one or more algorithmparameters, and/or an issuer. A certificate may comprise a digitalcertificate, a public key certificate, an attribute certificate, and/oran authorization certificate.

As used herein the term “identifier” refers to a piece of data that isused for identifying, such as for categorizing, and/or uniquelyidentifying. The identifier may be in a form of a word, a number, aletter, a symbol, a list, an array or any combination thereof. Forexample, the identifier as a number may be in the form of an integer,such as unsigned integer, unit, with a length of e.g. 8 bits, 16 bits,32 bits, etc., such as an array of unsigned integers.

The present disclosure relates to a hearing device. The hearing devicecomprises a processing unit, a memory unit and an interface. The memoryunit may include removable and non-removable data storage unitsincluding, but not limited to, Read Only Memory (ROM), Random AccessMemory (RAM), etc. The memory unit may have a hearing device certificatestored thereon. The memory unit may have the hearing device certificatestored at a memory address of the memory unit, and/or in memory cells ofthe memory unit, such as in designated memory cells and/or at designatedaddresses. The hearing device may comprise a processing unit configuredto compensate for hearing loss of a user of the hearing device. Theinterface may comprise a wireless transceiver, e.g. configured forwireless communication at frequencies in the range from 2.4 to 2.5 GHz.In one or more exemplary hearing devices, the interface is configuredfor communication, such as wireless communication, with a client deviceand/or another hearing device, respectively comprising a wirelesstransceiver configured to receive and/or transmit data.

The processing unit is configured to obtain an access right certificate,e.g. from the memory unit and/or via the interface. To obtain an accessright certificate may comprise retrieving the access right certificatefrom the memory unit. Thus the access right certificate may be stored inthe memory unit of the hearing device. The access right certificate maycomprise an access right identifier. The access right identifier may beindicative of one or more access rights associated with the access rightcertificate/hearing device.

The access right certificate may comprise a digital signature, and toverify the access right certificate may comprise to verify the digitalsignature. The digital signature enables a proof or verification ofauthenticity of the access right certificate, such as verification ofthe signer legitimacy. The digital signature is optionally generated bya manufacturing device using a access right private key. The hearingdevice may be configured to verify the digital signature of the accessright certificate when obtaining. The digital signature is verifiable bythe hearing device using a corresponding access right public key. If thedigital signature is not successfully verified using the alleged publickey, the hearing device access right certificate is not verified. Thismay provide the advantage that the hearing device rejects an accessright certificate that is tampered or received from unauthenticatedparties.

The access right certificate may comprise a certificate type identifier.The certificate type identifier may indicate a type of the certificateamongst a variety of certificate types, such as a hearing device familycertificate type, a hearing device certificate type, a firmwarecertificate type, an access right certificate type, client devicecertificate type. The certificate type identifier may be used by thehearing device to identify what type of certificate it receives, stores,and/or retrieves/obtains. The access right certificate may comprise aversion identifier indicative of a data format version of thecertificate. The hearing device may be configured to use the certificatetype identifier and/or the version identifier to determine what type ofdata the certificate comprises and/or what type of data is comprised ina field of the certificate. For example, the hearing device maydetermine based on the certificate type identifier and/or versionidentifier what field of the certificate comprises a digital signatureand/or which public key is needed to verify the digital signature. Itmay be envisaged that there is a one-to-one mapping between thecertificate type identifier and the public-private key pair.

The access right certificate may comprise a signing device identifier.The signing device identifier refers to a unique identifier identifyingthe device (such as a manufacturing device, e.g. an integrated circuitcard, a smart card, a hardware security module) that has signed theaccess right certificate. The signing device identifier may for examplecomprise a medium access control, MAC, address of the signing deviceand/or a serial number. The signing device identifier optionally allowsfor example the hearing device to determine whether the signing deviceis e.g. black-listed or not, and thus to reject/not verify certificatessigned by a signing device that is black-listed.

The access right certificate may comprise one or more hardwareidentifiers. To verify the access right certificate may comprise toverify at least one of the one or more hardware identifiers. A hardwareidentifier may identify a piece of hardware comprised in the hearingdevice, such as a radio chip (part of the interface) comprised in thehearing device or the processing unit of the hearing device. A hardwareidentifier may be stored in a register of the piece of hardwarecomprised in the hearing device during manufacturing of the piece ofhardware. A hardware identifier may comprise a serial number, a mediumaccess control, MAC, address, a chip identifier, or any combinationthereof. The one or more hardware identifiers may include one or both ofa first hardware identifier indicative of a hardware identifier of theprocessing unit and a second hardware identifier indicative of ahardware identifier of the interface, such as a hardware identifier of aradio transceiver (radio chip) of the interface.

The access right certificate may comprise a hardware platformidentifier, e.g. indicative of a hardware platform of the hearingdevice. The hardware platform identifier may identify a hardwareplatform, such as an operational hearing device hardware platform, i.e.a hardware platform compatible with the hearing device.

The access right certificate may comprise a software platformidentifier, e.g. indicative of a software platform of the hearingdevice. The software platform identifier may identify a family ofsoftware platforms on which the hearing device is configured to operate.

The access right certificate may comprise a certificate timestamp. Thecertificate timestamp refers to a timestamp of production or manufactureof the access right certificate, such as a timestamp of themanufacturing device indicating a time instant when the access rightcertificate is generated. The certificate timestamp may be in form ofe.g.: hour, min, date, month, year.

The access right certificate may comprise an issuer identifier, e.g.indicative of the person who has signed the access right certificate.

The access right certificate may comprise an addressee identifier, e.g.indicative of the person/group requesting the access right certificate.

The processing unit is configured to verify the access rightcertificate.

To verify the access right certificate may be based on the hearingdevice certificate stored in the memory of the hearing device.

The hearing device certificate may comprise one or more hardwareidentifiers. A hardware identifier may identify a piece of hardwarecomprised in the hearing device, such as a radio chip (part of theinterface) comprised in the hearing device or the processing unit of thehearing device. A hardware identifier may be stored in a register of thepiece of hardware comprised in the hearing device during manufacturingof the piece of hardware. A hardware identifier may comprise a serialnumber, a medium access control, MAC, address, a chip identifier, or anycombination thereof. The one or more hardware identifiers of the hearingdevice certificate may include one or both of a first hardwareidentifier indicative of a hardware identifier of the processing unitand a second hardware identifier indicative of a hardware identifier ofthe interface, such as a hardware identifier of a radio transceiver(radio chip) of the interface.

The hearing device certificate may comprise a hardware platformidentifier, e.g. indicative of a hardware platform of the hearingdevice. The hardware platform identifier may identify a hardwareplatform, such as an operational hearing device hardware platform, i.e.a hardware platform compatible with the hearing device.

The hearing device certificate may comprise a software platformidentifier, e.g. indicative of a software platform of the hearingdevice. The software platform identifier may identify a family ofsoftware platforms on which the hearing device is configured to operate.

The hearing device certificate may comprise a certificate timestamp. Thecertificate timestamp refers to a timestamp of production or manufactureof the hearing device certificate, such as a timestamp of themanufacturing device indicating a time instant when the hearing devicecertificate is generated. The certificate timestamp may be in form ofe.g.: hour, min, date, month, year.

To verify the access right certificate may comprise to verify thecertificate type identifier.

To verify the access right certificate may comprise to verify theversion identifier, e.g. by verifying that the version indicated by theversion identifier is supported by the firmware.

To verify the access right certificate may comprise to verify at leastone of the one or more hardware identifiers. To verify at least one ofthe one or more hardware identifiers may be based on the actual valuesin the respective hardware registers and/or based on the hearing devicecertificate or at least parts thereof. To verify at least one of the oneor more hardware identifiers may comprise to verify that the firsthardware identifier of the access right certificate corresponds to theactual value of the corresponding hardware register. To verify at leastone of the one or more hardware identifiers may comprise to verify thatthe second hardware identifier of the access right certificatecorresponds to the actual value of the corresponding hardware register.To verify at least one of the one or more hardware identifiers maycomprise to verify that the first hardware identifier of the accessright certificate corresponds to the first hardware identifier of thehearing device. To verify at least one of the one or more hardwareidentifiers may comprise to verify that the second hardware identifierof the access right certificate corresponds to the second hardwareidentifier of the hearing device.

To verify the access right certificate may comprise to verify thesigning device identifier. To verify the signing device identifier maycomprise to verify that the signing device identifier is notblack-listed, e.g. by appearing on a list of black-listed signing deviceidentifiers. Verification then fails if the processing unit determinesthat the signing device identifier is black-listed.

To verify the access right certificate may comprise to verify thehardware platform identifier, e.g. based on the hearing devicecertificate or at least parts thereof. To verify the hardware platformidentifier may comprise to verify that the hardware platform identifierof the access right certificate corresponds to the hardware platformidentifier of the hearing device certificate.

To verify the access right certificate may comprise to verify thesoftware platform identifier, e.g. based on the hearing devicecertificate or at least parts thereof. To verify the software platformidentifier may comprise to verify that the software platform identifiercorresponds to the software platform identifier of the hearing devicecertificate.

To verify the access right certificate may comprise to verify thecertificate timestamp, e.g. based on the hearing device certificate orat least parts thereof. To verify the certificate timestamp may compriseto verify that the certificate timestamp of the access right certificateis later in time than the certificate timestamp of the hearing devicecertificate.

To obtain and verify the access right certificate may be conditional,e.g. based on verification of firmware, e.g. based on a firmwarecertificate. The processing unit may be configured to verify firmware.For example, the processing unit may be configured to obtain a firmwarecertificate, e.g. from the memory unit and/or via the interface, and toverify the firmware certificate, e.g. based on a digital signature ofthe firmware certificate. If the firmware, e.g. the firmwarecertificate, is not verified, the processing unit may be configured toobtain and verify the access right certificate and provide an accessright according to the access right identifier if the access rightcertificate is verified. A conditional verification of the access rightcertificate enables a powerefficient hearing device. In one or moreembodiments, the processing unit may be configured to determine if thefirmware, such as a digital signature of the firmware certificate, isindicative of being non-authorized. For example, the digital signatureof the firmware certificate may be set to a default value, e.g. zero, toindicate that the firmware is not authorized. Hereby, the hearing devicemay save complex and time/power consuming signature verification andproceed directly to obtaining an access right certificate. If thedigital signature of the firmware certificate is not equal to thedefault value, the processing unit may proceed to obtain an access rightcertificate.

The processing unit is configured to, e.g. if the access rightcertificate is verified, provide an access right according to the accessright identifier.

To provide an access right according to the access right identifier maycomprise to allow control of one or more hearing device features.

In one or more exemplary hearing devices, the processing unit isconfigured to grant full access to the hearing device if the accessright identifier is indicative of full access allowed. Thus, to providean access right according to the access right identifier may comprise togrant full access to the hearing device if the access right identifieris indicative of full access allowed. Full access to the hearing devicemay be defined as allowing access to read and write to all parts of thememory unit, to read from all hardware register and to write to allwritable hardware registers of the hearing device.

In one or more exemplary hearing devices, the processing unit isconfigured to grant access to tracing of one or more hardware registers,if the access right identifier is indicative of hardware register accessallowed. Thus, to provide an access right according to the access rightidentifier may comprise to grant access to tracing of one or morehardware registers, if the access right identifier is indicative ofhardware register access allowed.

In one or more exemplary hearing devices, the processing unit isconfigured to grant access to execute unauthorized firmware if theaccess right identifier is indicative of unauthorized firmware executionallowed. Thus to provide an access right according to the access rightidentifier may comprise to grant access to execute unauthorized firmwareif the access right identifier is indicative of unauthorized firmwareexecution allowed.

In one or more exemplary hearing devices, the processing unit isconfigured to grant access to store firmware in the memory unit if theaccess right identifier is indicative of firmware storing allowed. Thusto provide an access right according to the access right identifier maycomprise to grant access to store firmware in the memory unit if theaccess right identifier is indicative of firmware storing allowed.

Also disclosed is a hearing device, wherein the processing unit may beconfigured to obtain an access right certificate via the interface;verify the access right certificate; and, if the access rightcertificate is verified, store the access right certificate in thememory unit. Further, a method of configuring a hearing device isdisclosed, the method including obtaining an access right certificate;verifying the access right certificate; and, if the access rightcertificate is verified, storing the access right certificate in amemory unit of the hearing device.

The processing unit may be configured to, if the access rightcertificate is not verified, abort normal operation.

FIG. 1 schematically illustrates exemplary devices that may be used formanufacturing, development, maintenance/update of, and/or operating ahearing device 2. FIG. 1 shows an exemplary system 1 and a hearingdevice 2. The system 1 may comprise one or more of a manufacturingdevice 12, a server device 16 and a development device 18 formanufacturing, development, maintenance/update of, and/or operating thehearing device 2. The manufacturing device 12 may be configured totransmit/install a hearing device certificate in the hearing device. Thehearing device 2 may be configured to compensate for hearing loss of auser of the hearing device 2. The hearing device 2 may be configured tocommunicate with the manufacturing device 12 using e.g. a communicationlink 23, such as a uni or bi-directional communication link. Thecommunication link 23 may be a wired link and/or wireless communicationlink. The communication link 23 may be a single hop communication linkor a multi-hop communication link. The wireless communication link maybe carried over a short-range communication system, such as Bluetooth,Bluetooth low energy, IEEE 802.11, Zigbee. The hearing device 2 may beconfigured to receive a hearing device certificate from themanufacturing device 12 and to store the hearing device certificate in amemory unit comprised in the hearing device 2. Alternatively oradditionally, the manufacturing device 12 may store the hearing devicecertificate directly in the memory unit of the hearing device. Forexample, the manufacturing device 12 may write the hearing devicecertificate in the memory unit. For example, during manufacturing of thehearing device 2, the manufacturing device 12 connects to the hearingdevice 2 and transmits the hearing device certificate to the hearingdevice 2. The hearing device may receive and store the hearing devicecertificate. The hearing device 2 may be configured to connect to thedevelopment device 18 via a communication link 21, such as abidirectional communication link. The communication link 21 may be awired link and/or wireless communication link. The communication link 21may be a single hop communication link or a multi hop communicationlink. The wireless communication link may be carried over a short-rangecommunication system, such as Bluetooth, Bluetooth low energy, IEEE802.11, Zigbee. The hearing device 2 may configured to connect to thedevelopment device 18 over a network. The development device 18 may beconfigured to communicate with the server device 16 via a communicationlink 24, such as a bidirectional communication link. The communicationlink 24 may be a wired link and/or wireless communication link. Thecommunication link 24 may comprise a network, such as the Internet. Thedevelopment device 18 may be configured to communicate with the serverdevice 16 for maintenance, and update purposes. The server device 16 maycomprise a computing device configured to act as a server, i.e. to serverequests from the development device 18 and/or from the hearing device2. The server device 16 may be controlled by the hearing devicemanufacturer. The server device 16 may be configured to communicate withthe manufacturing device 12 via a communication link 22 formanufacturing maintenance, and/or operational purposes. The serverdevice 16 and the manufacturing device 12 may be co-located and/or formone entity for manufacturing maintenance, and/or operational purposes ofthe hearing device 2.

FIG. 2 schematically illustrates an exemplary hearing device 2. Thehearing device 2 comprises a processing unit 4, a memory unit 6 and aninterface 8. The hearing device 2 comprises a processing unit 4configured to compensate for hearing loss of a user of the hearingdevice 2. The interface 8 optionally comprises a wireless transceiver,e.g. configured for wireless communication at frequencies in the rangefrom 2.4 to 2.5 GHz. The interface 8 is configured for communication,such as wired and/or wireless communication, with a manufacturing device12 and/or a development device 18. The processing unit 4 may beconfigured to compensate for hearing loss of a user of the hearing aid.The hearing device 2 optionally comprises a microphone 5 or a pluralityof microphones for receiving sound signal(s) and converting soundsignal(s) into converted sound signal(s). In one or more exemplaryhearing devices, a wireless transceiver of the interface may alsoprovide one or more converted sound signal(s), e.g. from an externalsound source such as a mobile phone or sound system with wirelesstransmitter. The converted sound signal(s) may be an electrical and/ordigital version of the sound signal. The processing unit 4 is configuredto receive and process the converted sound signal(s) into a processedsound signal according to a hearing loss of a user of the hearing device2. The processed sound signal may be compressed and/or amplified or thelike. The hearing device 2 comprises an output transducer/loudspeaker 7,known as a receiver. The receiver 7 is configured to receive theprocessed sound signal and convert the processed sound signal to anoutput sound signal for reception by an eardrum of the user. A hearingdevice certificate 100 is stored in the memory unit 6. Further, anaccess right certificate 102 may be stored in the memory unit 6.Optionally, a firmware certificate 104 may be stored in the memory unit6. The processing unit 4 is configured to obtain an access rightcertificate by retrieving the access right certificate 102 from thememory unit. The access right certificate comprises an access rightidentifier. The processing unit 4 is configured to verify the accessright certificate; and if the access right certificate 100 is verified,provide an access right according to the access right identifier.

FIG. 3 schematically illustrates an exemplary hearing device certificate100. The hearing device certificate 100 optionally comprises a hearingdevice identifier 112, at least one hearing device key identifierincluding a first hearing device key identifier 114 indicative of ahearing device key and one or a plurality of hearing device keys. Thehearing device identifier 112 may refer to a unique or a pseudo-uniqueidentifier. The first hearing device key identifier 114 is indicative ofthe first hearing device key(s) of the hearing device certificate. Forexample, the first hearing device key identifier 114 may be indicativeof or point to a hearing device key of a first set 115 of hearing devicekeys (115A, 115B, 115C, 115D) of the hearing device certificate, e.g.the first primary hearing device key 115A. The hearing devicecertificate 100 optionally comprises two, three, four or more sets ofhearing device keys enabling secure communication with different clientdevices/client device types. The hearing device certificate 100comprises a first set 115 of hearing device keys including a firstprimary hearing device key 115A. The at least one hearing device keyidentifier comprises a first hearing device key identifier 114indicative of a hearing device key of the first set 115 of hearingdevice keys 115A, 115B, 115C, 115D. The first set 115 of hearing devicekeys comprises for example first primary key 115A, first secondary key115B, first tertiary key 115C, and first quaternary key 115D dedicatedto securing communication to and from a first client device or a firstclient device type. For example, the first set 115 of hearing deviceskey may be a set of hearing device keys 115A, 1158, 115C, 115D forsecuring communication of hearing device data with the first clientdevice.

The plurality of hearing device keys may comprise a second set 117 ofhearing device keys including a second primary hearing device key 117A,a second secondary hearing device key 117B, a second tertiary hearingdevice key 117C, and/or a second quaternary hearing device key 117D. Theat least one hearing device key identifier comprises a second hearingdevice key identifier 116 indicative of a hearing device key of thesecond set 117 of hearing device keys 117A, 117B, 117C, 117D. Thehearing device may be configured to communicate with one or more clientdevices, such as a first client device and/or a second client device.For each client device or client device type that the hearing device isconfigured to communicate with, the hearing device certificateoptionally comprises a set of hearing device keys configured to enablesecure communication with a specific client device or client devicetype. The hearing device certificate may comprise a third set 119 ofhearing device keys including a third primary hearing device key 119A, athird secondary hearing device key 119B, a third tertiary hearing devicekey 119C, and/or a third quaternary hearing device key 119D. The atleast one hearing device key identifier comprises a third hearing devicekey identifier 118 indicative of a hearing device key of the third set119 of hearing device keys. The hearing device certificate 100 maycomprise a fourth set of hearing device keys including a fourth primaryhearing device key (not shown). The at least one hearing device keyidentifier comprises a fourth hearing device key identifier indicativeof a hearing device key of the fourth set of hearing device keys. Thehearing device 2 may be configured to select a set of hearing devicekeys based on the client device or the client device type connected tothe hearing device and to select a hearing device key from the set ofhearing device keys selected based on the hearing device key identifierassociated with the selected set of hearing devices.

The hearing device certificate 100 comprises a certificate typeidentifier 130. The certificate type identifier 130 indicates that thehearing device certificate 100 is a hearing device certificate, e.g.selected amongst a variety of certificate types, such as a hearingdevice family certificate type, a hearing device certificate type, afirmware certificate type, an access right certificate type, and aclient device certificate type. The certificate type identifier 130 maybe used to enable the hearing device 2 to identify what type ofcertificate it receives, stores, authenticates and/or retrieves. Thehearing device certificate 100 may comprise a version identifier whichindicates a data format version of the hearing device certificate. Thehearing device 2 may use the certificate type identifier 130 and/or theversion identifier to determine what type of data the hearing devicecertificate 100 comprises, what type of data is comprised in a field ofthe hearing device certificate 100. For example, the hearing device 2may determine based on the certificate type identifier 130 and/orversion identifier what field of the certificate comprises a digitalsignature 113, and which public key is needed to verify the digitalsignature 113. It may be envisaged that there is a one-to-one mappingbetween the certificate type identifier 130 and the public-private keypair used for generating the digital signature 113. The hearing devicecertificate 100 may comprise a length identifier that indicates thelength of the hearing device certificate 100, e.g. in bits, bytes.

The hearing device certificate 100 optionally comprises a signing deviceidentifier 136. The signing device identifier 136 refers to a uniqueidentifier identifying the device (such as a manufacturing device 12,e.g. an integrated circuit card, a smart card, a hardware securitymodule comprised in a manufacturing device 12) that has signed thehearing device certificate 100. The signing device identifier 136 mayfor example comprise a medium access control, MAC, address of thesigning device, a serial number. The signing device identifier 136allows for example the hearing device 2 to determine whether the signingdevice is e.g. black-listed or not, and thus to reject hearing devicecertificates 100 signed by a signing device that is black-listed.

The hearing device certificate 100 optionally comprises one or morehardware identifiers including a first hardware identifier 148 and/or asecond hardware identifier 150. The first hardware identifier 148 isindicative of a hardware identifier of the processing unit 4 and isstored in a register of the processing unit 4. The first hardwareidentifier 148 may comprise a serial number, a medium access control,MAC, address, a chip identifier, or any combination thereof. The secondhardware identifier 150 is indicative of a hardware identifier of theinterface, such as a radio chip, and is stored in a register of theinterface 8. The hearing device 2 may, e.g. at start-up, verify thehearing device certificate 100 by comparing the first hardwareidentifier 148 and the actual value of the corresponding register. Thisway, the hearing device 2 may determine if the hearing devicecertificate stored in the hearing device is intended for the hearingdevice 2 and reject the hearing device certificate if the hardwareidentifiers of the hearing device certificate do not match the hardwaremodule register values of hearing device hardware.

The hearing device certificate 100 optionally comprises one or more of ahardware platform identifier 138, a software platform identifier 140,and/or a certificate timestamp 142. The hardware platform identifier 138may identify a hardware platform, such as an operational hearing devicehardware platform, i.e. a hardware platform on which the hearing devicecertificate may be used. The software platform identifier 140 mayidentify a family of software platforms on which the hearing devicecertificate is configured to operate. The certificate timestamp 142refers to a timestamp of production or manufacture of the hearing devicecertificate 100, such as a timestamp of the manufacturing device 12indicating a time instant when the hearing device certificate 100 isgenerated. The certificate timestamp 142 may be in form of e.g.: hour,min, date, month, year.

The hearing device certificate 100 comprises a digital signature 113and/or a MAC. The digital signature 113 enables a proof or verificationof authenticity and/or content of the hearing device certificate 100,such as verification of the signer legitimacy (e.g. whether the signeris a legitimate manufacturing device). The digital signature 113 isgenerated by the manufacturing device 12 using a device family privatekey during manufacturing of the hearing device.

FIG. 4 schematically illustrates an exemplary access right certificate102. The access right certificate 102 comprises a digital signature 113and/or a MAC. The digital signature 113 enables a proof or verificationof authenticity and/or content of the access right certificate 102, suchas verification of the signer legitimacy (e.g. whether the signer is alegitimate manufacturing device). The digital signature 113 is generatedby a signing device using an access right private key.

The access right certificate 102 comprises a certificate type identifier130. The certificate type identifier 130 indicates that the access rightcertificate 102 is an access right certificate, e.g. selected amongst avariety of certificate types, such as a hearing device familycertificate type, a hearing device certificate type, a firmwarecertificate type, an access right certificate type, a security settingscertificate, and a client device certificate type. The certificate typeidentifier 130 may be used to enable the hearing device 2 to identifywhat type of certificate it receives, stores, authenticates and/orretrieves. The access right certificate 102 may comprise a versionidentifier 132 indicative of data format version of the access rightcertificate 102. The hearing device 2 may use the certificate typeidentifier 130 and/or the version identifier 132 to determine what typeof data the access right certificate 102 comprises and/or what type ofdata is comprised in a field of the access right certificate 102. Theaccess right certificate 102 may comprise a length identifier 134 thatindicates the length of the access right certificate 102, e.g. in bits,bytes. For example, the hearing device 2 may determine based on thecertificate type identifier 130, the version identifier 132 and/or thelength identifier 134 what field of the certificate 102 comprisesdigital signature 113, and which public key is needed to verify thedigital signature 113. It may be envisaged that there is a one-to-onemapping between the certificate type identifier 130 and thepublic-private key pair used for generating the digital signature 113.

The access right certificate 102 optionally comprises a signing deviceidentifier 136. The signing device identifier 136 refers to a uniqueidentifier identifying the device (such as a manufacturing device 12,e.g. an integrated circuit card, a smart card, a hardware securitymodule comprised in a manufacturing device 12) that has signed theaccess right certificate 102. The signing device identifier 136 may forexample comprise a medium access control, MAC, address of the signingdevice, a serial number. The signing device identifier 136 allows forexample the hearing device 2 to determine whether the signing device ise.g. black-listed or not, and thus to reject an access right certificate102 signed by a signing device that has been black-listed, e.g. based onsigning device revocation identifier(s) of secondary security settings.

The access right certificate 102 optionally comprises one or more of ahardware platform identifier 138, a software platform identifier 140,and/or a certificate timestamp 142. The hardware platform identifier 138may identify a hardware platform, such as an operational hearing devicehardware platform, i.e. a hardware platform on which the hearing devicecertificate may be used. The software platform identifier 140 mayidentify a family of software platforms on which the hearing devicecertificate is configured to operate. The certificate timestamp 142refers to a timestamp of production or manufacture of the access rightcertificate 102, such as a timestamp of the manufacturing device 12indicating a time instant when the access right certificate 102 wasgenerated. The certificate timestamp 142 may be in form of e.g.: hour,min, date, month, year.

The access right certificate 102 comprises a first hardware identifier148 indicative of a hardware identifier of the processing unit 4.Optionally, the access right certificate 102 may comprise furtherhardware identifiers indicative of respective further hardwareidentifiers of the processing unit 4. The access right certificate 102comprises a second hardware identifier 150 indicative of a hardwareidentifier of the radio transceiver (radio chip) of the interface 8.Optionally, the access right certificate 102 may comprise furtherhardware identifiers indicative of respective further hardwareidentifiers of the interface 8.

The access right certificate 102 may comprise an issuer identifier 152.indicative of the person who has signed the access right certificate.The access right certificate 102 may comprise an addressee identifier154 indicative of the person/group requesting the access rightcertificate 102.

The access right certificate 102 comprises a digital signature 113and/or a MAC. The digital signature 113 enables a proof or verificationof authenticity and/or content of the access right certificate 102, suchas verification of the signer legitimacy (e.g. whether the signer is alegitimate manufacturing device). The digital signature 113 is generatedby the manufacturing device 12 using an access right private key, e.g.during manufacturing of the hearing device.

FIG. 5 schematically illustrates a flowchart of an exemplary method ofoperating a hearing device comprising a processing unit configured tocompensate for hearing loss of a user of the hearing device; a memoryunit; and an interface. The method 500 comprises obtaining S1 an accessright certificate, e.g. access right certificate 102, by retrieving theaccess right certificate from the memory unit, the access rightcertificate comprising an access right identifier. The method 500proceeds to verifying S2 the access right certificate; and if the accessright certificate is verified S3, providing S4 an access right accordingto the access right identifier, wherein providing S4 an access rightcomprises granting S41 access to execute unauthorized firmware if theaccess right identifier is indicative of unauthorized firmware executionallowed. Providing S4 an access right optionally comprises granting S42access to store firmware in the memory unit if the access rightidentifier is indicative of firmware storing allowed.

Providing S4 an access right optionally comprises granting S43 access totracing of one or more hardware registers, if the access rightidentifier is indicative of hardware register access allowed.

FIG. 6 schematically illustrates a flowchart of an exemplary method ofconfiguring a hearing device. The method 502 includes obtaining S1 anaccess right certificate via an interface of the hearing device andverifying S2 the access right certificate. The method 502 comprises, ifthe access right certificate is verified S3, storing S6 the access rightcertificate in a memory unit of the hearing device.

FIG. 7 schematically illustrates an exemplary verification of an accessright certificate e.g. using a processing unit of a hearing device. Toverify or verifying S2 the access right certificate comprises to verifyS21 the certificate type identifier of the access right certificate 102and to verify S22 the version identifier of the access right certificate102 by verifying that the version indicated by the version identifier issupported by the firmware.

To verify or verifying S2 the access right certificate comprises toverify S23 at least one, such as the first hardware identifier and/orthe second hardware identifier, of the one or more hardware identifiersbased on the actual values of respective hardware registers and/orcorresponding respective hardware identifiers of the hearing devicecertificate.

To verify or verifying S2 the access right certificate comprise toverify S24 the hardware platform identifier, the software platformidentifier and the certificate timestamp of the access right certificatebased on the hearing device certificate or at least parts thereof, e.g.based on respective hardware platform identifier, software platformidentifier and certificate timestamp of the hearing device certificate.

To verify or verifying S2 the access right certificate comprises toverify S25 the signing device identifier by verifying that the signingdevice identifier is not black-listed, e.g. by appearing on a list ofblack-listed signing device identifiers stored in the memory unit.

To verify or verifying S2 the access right certificate comprises toverify S26 the digital signature of the access right certificate usingan access right public key stored in the memory unit.

If any of S21, S22, S23, S24, S25, S26 results in non-verification, theaccess right certificate is not verified S28. The order of S21, S22,S23, S24, S25, and S26 may be changed. If all of S21, S22, S23, S24,S25, and S26 succeed, the access right certificate is verified S27. Theprocessing unit may be configured to verify S21, S22, S23, S24, S25, andS26.

FIG. 8 schematically illustrates a flowchart of an exemplary method ofoperating a hearing device comprising a processing unit configured tocompensate for hearing loss of a user of the hearing device; a memoryunit; and an interface. The method 500′ comprises verifying S7 thefirmware e.g. by verifying the digital signature of a firmwarecertificate. The firmware certificate may be stored in the memory unitof the hearing device or received from a development device or otherclient device, e.g. a fitting device, configured to transmit data to thehearing device via the interface. If the firmware is not verified, themethod proceeds to obtaining S1 an access right certificate. If thefirmware is verified, the method 500′ proceeds to normal operation S9.

FIG. 9 schematically illustrates a flowchart of an exemplary method ofoperating a hearing device comprising a processing unit configured tocompensate for hearing loss of a user of the hearing device; a memoryunit; and an interface. The method 500″ comprises verifying S7 thefirmware. Verifying S7 the firmware comprises obtaining S71 a firmwarecertificate, e.g. from the memory unit and/or via the interface, andverifying S72 the firmware certificate by verifying a digital signatureof the firmware certificate. Verifying S7 the firmware is successful ifthe digital signature of the firmware certificate is verified.

Exemplary hearing devices and methods are set out in the followingitems.

Item 1. A hearing device comprising

-   -   a processing unit configured to compensate for hearing loss of a        user of the hearing device;    -   a memory unit; and    -   an interface,        wherein the processing unit is configured to:        obtain an access right certificate, the access right certificate        comprising an access right identifier;        verify the access right certificate; and        if the access right certificate is verified, provide an access        right according to the access right identifier.

Item 2. Hearing device according to item 1, wherein the access rightcertificate comprises a digital signature, and wherein to verify theaccess right certificate comprises to verify the digital signature.

Item 3. Hearing device according to any of items 1-2, wherein the accessright certificate comprises a certificate type identifier, and whereinto verify the access right certificate comprises to verify thecertificate type identifier.

Item 4. Hearing device according to any of items 1-3, wherein the accessright certificate comprises a version identifier, and wherein to verifythe access right certificate comprises to verify the version identifier.

Item 5. Hearing device according to any of items 1-4, wherein the accessright certificate comprises one or more hardware identifiers, andwherein to verify the access right certificate comprises to verify atleast one of the one or more hardware identifiers.

Item 6. Hearing device according to item 5, wherein the one or morehardware identifiers includes one or both of a first hardware identifierindicative of a hardware identifier of the processing unit and a secondhardware identifier indicative of a hardware identifier of theinterface.

Item 7. Hearing device according to any of items 1-6, wherein the accessright certificate comprises a signing device identifier, and wherein toverify the access right certificate comprises to verify the signingdevice identifier.

Item 8. Hearing device according to any of items 1-7, wherein the accessright certificate comprises one or more of a hardware platformidentifier, a software platform identifier, and/or a certificatetimestamp, and wherein to verify the access right certificate comprisesto verify at least one of the hardware platform identifier, the softwareplatform identifier, and the certificate timestamp.

Item 9. Hearing device according to any of items 1-8, wherein thehearing device has a hearing device certificate stored in the memoryunit, wherein to verify the access right certificate is based on thehearing device certificate.

Item 10. Hearing device according to any of items 1-9, wherein toprovide an access right according to the access right identifiercomprises to allow control of one or more hearing device features.

Item 11. Hearing device according to any of items 1-10, wherein theaccess right certificate comprises an issuer identifier and/or anaddressee identifier.

Item 12. Hearing device according to any of items 1-11, wherein theprocessing unit is configured to obtain a firmware certificate and toverify the firmware certificate, and wherein the processing unit isconfigured to retrieve and verify the access right certificate if thefirmware certificate is not verified.

Item 13. Hearing device according to any of items 1-12, wherein theprocessing unit is configured to, if the access right certificate is notverified, abort normal operation.

Item 14. Hearing device according to any of items 1-13, wherein toobtain an access right certificate comprises retrieving the access rightcertificate from the memory unit.

Item 15. Hearing device according to any of items 1-14, wherein theprocessing unit is configured to grant full access to the hearing deviceif the access right identifier is indicative of full access allowed.

Item 16. Hearing device according to any of items 1-15, wherein theprocessing unit is configured to grant access to tracing of one or morehardware registers, if the access right identifier is indicative ofhardware register access allowed.

Item 17. Hearing device according to any of the items 1-16, wherein theprocessing unit is configured to grant access to execute unauthorizedfirmware if the access right identifier is indicative of unauthorizedfirmware execution allowed.

Item 18. Hearing device according to any of items 1-17, wherein theprocessing unit is configured to grant access to store firmware in thememory unit if the access right identifier is indicative of firmwarestoring allowed.

Item 19. Method of operating a hearing device comprising a processingunit configured to compensate for hearing loss of a user of the hearingdevice; a memory unit; and an interface, the method comprising

obtaining an access right certificate, the access right certificatecomprising an access right identifier;verifying the access right certificate; andif the access right certificate is verified, providing an access rightaccording to the access right identifier.

The use of the terms “first”, “second”, “third” and “fourth”, etc. doesnot imply any particular order, but are included to identify individualelements. Moreover, the use of the terms first, second, etc. does notdenote any order or importance, but rather the terms first, second, etc.are used to distinguish one element from another. Note that the wordsfirst and second are used here and elsewhere for labelling purposes onlyand are not intended to denote any specific spatial or temporalordering. Furthermore, the labelling of a first element does not implythe presence of a second element and vice versa.

Although particular features have been shown and described, it will beunderstood that they are not intended to limit the claimed invention,and it will be made obvious to those skilled in the art that variouschanges and modifications may be made without departing from the spiritand scope of the claimed invention. The specification and drawings are,accordingly to be regarded in an illustrative rather than restrictivesense. The claimed invention is intended to cover all alternatives,modifications and equivalents.

LIST OF REFERENCES

-   -   1 system    -   2 hearing device    -   3 processing unit    -   4 microphone    -   5 memory unit    -   6 receiver    -   7 interface    -   10 client device    -   12 manufacturing device    -   16 server device    -   18 development device    -   21 communication link between client device and hearing device    -   22 communication link between server device and manufacturing        device    -   23 communication link between hearing device and manufacturing        device    -   24 communication link between server device and client        device/fitting device    -   100 hearing device certificate    -   102 access right certificate    -   104 firmware certificate    -   112 hearing device identifier    -   113 digital signature    -   114 first hearing device key identifier    -   115 first set of hearing device keys    -   115A first primary hearing device key    -   115B first secondary hearing device key    -   115C first tertiary hearing device key    -   115D first quaternary hearing device key    -   116 second hearing device key identifier    -   117 second set of hearing device keys    -   117A second primary hearing device key    -   117B second secondary hearing device key    -   117C second tertiary hearing device key    -   117D second quaternary hearing device key    -   118 third hearing device key identifier    -   119 third set of hearing device keys    -   119A third primary hearing device key    -   119B third secondary hearing device key    -   119C third tertiary hearing device key    -   119D third quaternary hearing device key    -   130 certificate type identifier    -   136 signing device identifier    -   138 hardware platform identifier    -   140 software platform identifier    -   142 certificate timestamp    -   148 first hardware identifier    -   150 second hardware identifier    -   152 issuer identifier    -   154 addressee identifier    -   500, 500′, 500″ method of operating a hearing device    -   502 method of configuring a hearing device    -   S1 obtaining an access right certificate    -   S2 verifying the access right certificate    -   S3 verification of access right certificate ok?    -   S4 providing an access right    -   S5 abort normal operation    -   S6 storing the access right certificate    -   S7 verifying the firmware    -   S8 verification of firmware ok?    -   S9 normal operation

1. A hearing device comprising: a processing unit configured tocompensate for hearing loss of a user of the hearing device; and amemory unit; wherein the processing unit is configured to: obtain anaccess right certificate, the access right certificate comprising anaccess right identifier, verify the access right certificate, and if theaccess right certificate is verified, provide an access right accordingto the access right identifier.
 2. The hearing device according to claim1, wherein the access right certificate comprises a digital signature,and wherein the processing unit is configured to verify the access rightcertificate by verifying the digital signature.
 3. The hearing deviceaccording to claim 1, wherein the access right certificate comprises acertificate type identifier, and wherein the processing unit isconfigured to verify the access right certificate by verifying thecertificate type identifier.
 4. The hearing device according to claim 1,wherein the access right certificate comprises one or more hardwareidentifiers, and wherein the processing unit is configured to verify theaccess right certificate by verifying at least one of the one or morehardware identifiers.
 5. The hearing device according to claim 1,wherein the access right certificate comprises a hardware platformidentifier, a software platform identifier, a certificate timestamp, orany combination of the foregoing, and wherein the processing unit isconfigured to verify the access right certificate by verifying at leastone of the hardware platform identifier, the software platformidentifier, and the certificate timestamp.
 6. The hearing deviceaccording to claim 1, wherein the processing unit is configured toobtain a firmware certificate and to verify the firmware certificate,and wherein the processing unit is configured to retrieve and verify theaccess right certificate if the firmware certificate is not verified. 7.The hearing device according to claim 1, wherein the processing unit isconfigured to grant full access to the hearing device if the accessright identifier is indicative of allowance of the full access.
 8. Thehearing device according to claim 1, wherein the processing unit isconfigured to grant access to execute unauthorized firmware if theaccess right identifier is indicative of allowance of the unauthorizedfirmware being execution.
 9. The hearing device according to claim 1,wherein the processing unit is configured to grant access to storefirmware in the memory unit if the access right identifier is indicativeof allowance of the firmware being storing.
 10. A method of operating ahearing device comprising a processing unit configured to compensate forhearing loss of a user of the hearing device and a memory unit, themethod comprising: obtaining an access right certificate, the accessright certificate comprising an access right identifier; verifying theaccess right certificate; and if the access right certificate isverified, providing an access right according to the access rightidentifier.